Remove GuestAttestation logic (#23338)

* remove guest attestation

* remove from vm

* remove disableintegritymonitoring

* Update ChangeLog.md

* missed a couple

* Create BreakingChangeIssues.csv

* remove param from md

* handle breaking change error and weird param set errors

* Update BreakingChangeIssues.csv

* test added

* removed old test

---------

Co-authored-by: Yabo Hu <[email protected]>

Author: Sandido

src/Compute/Compute.Test/ScenarioTests/VirtualMachineScaleSetTests.cs

@@ -403,6 +403,13 @@ public void TestVirtualMachineScaleSetSecurityTypeDefaultingFromImage()
             TestRunner.RunTestScript("Test-VirtualMachineScaleSetSecurityTypeDefaultingFromImage");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void TestVirtualMachineScaleSetSecurityTypeAndFlexDefaults()
+        {
+            TestRunner.RunTestScript("Test-VirtualMachineScaleSetSecurityTypeAndFlexDefaults");
+        }
+        
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]
         public void TestVirtualMachineScaleSetSecurityTypeNoVMProfile()

src/Compute/Compute.Test/ScenarioTests/VirtualMachineScaleSetTests.ps1

@@ -5228,12 +5228,12 @@ function Test-VirtualMachineScaleSetSecurityTypeNoVMProfile
         # Common
         New-AzResourceGroup -Name $rgname -Location $loc -Force;
         $vmssName = 'vmss' + $rgname;
-        
+
         # Create TL Vmss
         $vmssConfig = New-AzVmssConfig -loc $loc;
         New-AzVmss -ResourceGroupName $rgname -VMScaleSetName $vmssName -VirtualMachineScaleSet $vmssConfig;
         $vmssGet = Get-AzVmss -ResourceGroupName $rgname -VMScaleSetName $vmssName;
-        
+
         Assert-Null $vmssGet.VirtualMachineProfile;
         Assert-AreEqual $vmssGet.OrchestrationMode "Flexible"; 
     }
@@ -5242,4 +5242,45 @@ function Test-VirtualMachineScaleSetSecurityTypeNoVMProfile
         # Cleanup
         Clean-ResourceGroup $rgname;
     }
+}
+
+<#
+.SYNOPSIS
+Test Virtual Machine Scale Set securityType TrustedLaunch is default
+and also defaults in Vmss Flex.
+#>
+function Test-VirtualMachineScaleSetSecurityTypeAndFlexDefaults
+{
+    # Setup
+    $rgname = Get-ComputeTestResourceName;
+    $loc = Get-ComputeVMLocation;
+
+    try
+    {
+        # Common
+        New-AzResourceGroup -Name $rgname -Location $loc -Force;
+
+        $vmssName1 = 'vmss1' + $rgname;
+
+        $domainNameLabel1 = "d1" + $rgname;
+        $enable = $true;
+        $securityType = "TrustedLaunch";
+        $adminUsername = Get-ComputeTestResourceName;
+        $password = Get-PasswordForVM;
+        $adminPassword = $password | ConvertTo-SecureString -AsPlainText -Force;
+        $cred = New-Object System.Management.Automation.PSCredential ($adminUsername, $adminPassword);
+
+        # Requirements for the TrustedLaunch default behavior.
+        $res = New-AzVmss -ResourceGroupName $rgname -Credential $cred -VMScaleSetName $vmssName1 -DomainNameLabel $domainNameLabel1;
+
+        Assert-AreEqual $res.VirtualMachineProfile.SecurityProfile.SecurityType $securityType;
+        Assert-AreEqual $res.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled $enable;
+        Assert-AreEqual $res.VirtualMachineProfile.SecurityProfile.UefiSettings.SecureBootEnabled $enable;
+        Assert-AreEqual $res.OrchestrationMode "Flexible";
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname;
+    }
 }

src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.cs

@@ -514,13 +514,6 @@ public void TestVirtualMachinePlatformFaultDomain()
         {
             TestRunner.RunTestScript("Test-VirtualMachinePlatformFaultDomain");
         }
-
-        [Fact]
-        [Trait(Category.AcceptanceType, Category.LiveOnly)]
-        public void TestVirtualMachineGuestAttestation()
-        {
-            TestRunner.RunTestScript("Test-VirtualMachineGuestAttestation");
-        }
 
         [Fact]
         [Trait(Category.AcceptanceType, Category.CheckIn)]

src/Compute/Compute.Test/ScenarioTests/VirtualMachineTests.ps1

@@ -6061,93 +6061,6 @@ function Test-VirtualMachinePlatformFaultDomain
     }
 }
 
-<#
-.SYNOPSIS
-Test GuestAttestation defaulting behavior.
-1) SecurityType is TrustedLaunch.
-2) EnableVtpm is true.
-3) EnabledSecureBoot is true.
-4) DisableIntegrityMonitoring is not true.
-Then this test removes the VM and recreates it with -DisableIntegrityMonitoring set to true so the
-Guest Attestation extension is not installed.
-
-This test has been moved to LiveOnly. The GuestAttestation defaulting logic has been removed as per the feature team informing
-us that it was pulled back from other clients due to perf concerns but we were not informed of that at the time. 
-#>
-function Test-VirtualMachineGuestAttestation
-{
-    # Setup
-    $rgname = Get-ComputeTestResourceName;
-    $loc = Get-ComputeVMLocation;
-
-    try
-    {
-        New-AzResourceGroup -Name $rgname -Location $loc -Force;
-
-        # VM Profile & Hardware
-        $vmname = 'vm' + $rgname;
-        $domainNameLabel = "d1" + $rgname;
-
-        $vnetname = "myVnet";
-        $vnetAddress = "10.0.0.0/16";
-        $subnetname = "slb" + $rgname;
-        $subnetAddress = "10.0.2.0/24";
-        $OSDiskName = $vmname + "-osdisk";
-        $NICName = $vmname+ "-nic";
-        $NSGName = $vmname + "-NSG";
-        $OSDiskSizeinGB = 128;
-        $VMSize = "Standard_DS2_v2";
-        $PublisherName = "MicrosoftWindowsServer";
-        $Offer = "WindowsServer";
-        $SKU = "2022-datacenter-smalldisk-g2";
-        $securityType = "TrustedLaunch";
-        $secureboot = $true;
-        $vtpm = $true;
-        $extDefaultName = "GuestAttestation";
-        $vmGADefaultIDentity = "SystemAssigned";
-
-        # Creating a VM using Simple parameterset
-        $password = Get-PasswordForVM;
-        $securePassword = $password | ConvertTo-SecureString -AsPlainText -Force;  
-        $user = "admin01";
-        $cred = New-Object System.Management.Automation.PSCredential ($user, $securePassword);
-
-        $frontendSubnet = New-AzVirtualNetworkSubnetConfig -Name $subnetname -AddressPrefix $subnetAddress;
-
-        $vnet = New-AzVirtualNetwork -Name $vnetname -ResourceGroupName $rgname -Location $loc -AddressPrefix $vnetAddress -Subnet $frontendSubnet;
-         
-        $nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name RDP  -Protocol Tcp  -Direction Inbound -Priority 1001 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow;
-        $nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $loc -Name $NSGName  -SecurityRules $nsgRuleRDP;
-        $nic = New-AzNetworkInterface -Name $NICName -ResourceGroupName $RGName -Location $loc -SubnetId $vnet.Subnets[0].Id -NetworkSecurityGroupId $nsg.Id -EnableAcceleratedNetworking;
-
-        # VM
-        $vmConfig = New-AzVMConfig -VMName $vmName -VMSize $VMSize;
-        Set-AzVMOperatingSystem -VM $vmConfig -Windows -ComputerName $vmName -Credential $cred;
-        Set-AzVMSourceImage -VM $vmConfig -PublisherName $PublisherName -Offer $Offer -Skus $SKU -Version latest ;
-        Add-AzVMNetworkInterface -VM $vmConfig -Id $nic.Id;
-        $vmConfig = Set-AzVMSecurityProfile -VM $vmConfig -SecurityType $securityType;
-        $vmConfig = Set-AzVmUefi -VM $vmConfig -EnableVtpm $vtpm -EnableSecureBoot $secureboot;
-
-        New-AzVM -ResourceGroupName $RGName -Location $loc -VM $vmConfig ;
-        $vm = Get-AzVm -ResourceGroupName $rgname -Name $vmName;
-        $vmExt = Get-AzVMExtension -ResourceGroupName $rgname -VMName $vmName -Name $extDefaultName;
-
-        # Assert the default extension has been installed, and the Identity.Type defaulted to SystemAssigned.
-        Assert-AreEqual $vmExt.Name $extDefaultName;
-        Assert-AreEqual $vm.Identity.Type $vmGADefaultIDentity;
-
-        Remove-AzVm -ResourceGroupName $rgname -Name $vmname -Force;
-        New-AzVM -ResourceGroupName $RGName -Location $loc -VM $vmConfig -DisableIntegrityMonitoring;
-        Assert-ThrowsContains {
-            $vmExtError = Get-AzVMExtension -ResourceGroupName $rgname -VMName $vmName -Name $extDefaultName; } "For more details please go to https://aka.ms/ARMResourceNotFoundFix";
-    }
-    finally 
-    {
-        # Cleanup
-        Clean-ResourceGroup $rgname;
-    }
-}
-
 <#
 .SYNOPSIS
 Test to ensure the TimeCreated property is returned in the VM and VMSS models.

src/Compute/Compute.Test/SessionRecords/Microsoft.Azure.Commands.Compute.Test.ScenarioTests.VirtualMachineScaleSetTests/TestVirtualMachineScaleSetSecurityTypeAndFlexDefaults.json

@@ -33,6 +33,7 @@
 * Added new parameter `-VirtualMachineScaleSetId` to `Update-AzVm` cmdlet.
 * Fixed `New-AzVmss` and `New-Azvm` to use `SharedGalleryImageId` parameter.
 * Reducing File Permissions from 0644 to 0600 for SSH Private Key File in `New-AzVm`.
+* Remove GuestAttestaion vm extension installation for Vmss and Vm creation cmdlets. 
 
 
 ## Version 6.3.0

src/Compute/Compute.Test/SessionRecords/Microsoft.Azure.Commands.Compute.Test.ScenarioTests.VirtualMachineTests/TestVirtualMachineGuestAttestation.json

@@ -154,12 +154,6 @@ public override void ExecuteCmdlet()
                                 }
                             }
                             // END: For Cross-tenant RBAC sharing
-                            // GuestAttestation install scenario
-                            if (shouldGuestAttestationExtBeInstalled(parameters) &&
-                               parameters.Identity == null)
-                            {
-                                parameters.Identity = new VirtualMachineScaleSetIdentity(null, null, Microsoft.Azure.Management.Compute.Models.ResourceIdentityType.SystemAssigned, null);
-                            }
 
                             // Standard securityType is currently not supported in API, jsut used on client side for now,
                             // so removing it here before API call is made. 
@@ -194,93 +188,6 @@ public override void ExecuteCmdlet()
                                 result = VirtualMachineScaleSetsClient.CreateOrUpdate(resourceGroupName, vmScaleSetName, parameters);
                             }
 
-                            //Guest Attestation extension defaulting behavior check.
-                            if (shouldGuestAttestationExtBeInstalled(parameters))
-                            {
-                                string extensionNameGA = "GuestAttestation";
-                                var extensionDirect = new VirtualMachineScaleSetExtension();
-                                if (this.VirtualMachineScaleSet.VirtualMachineProfile == null)
-                                {
-                                    this.VirtualMachineScaleSet.VirtualMachineProfile = new PSVirtualMachineScaleSetVMProfile();
-                                }
-                                // ExtensionProfile
-                                if (this.VirtualMachineScaleSet.VirtualMachineProfile.ExtensionProfile == null)
-                                {
-                                    this.VirtualMachineScaleSet.VirtualMachineProfile.ExtensionProfile = new PSVirtualMachineScaleSetExtensionProfile();
-                                }
-                                // Extensions
-                                if (this.VirtualMachineScaleSet.VirtualMachineProfile.ExtensionProfile.Extensions == null)
-                                {
-                                    this.VirtualMachineScaleSet.VirtualMachineProfile.ExtensionProfile.Extensions = new List<PSVirtualMachineScaleSetExtension>();
-                                }
-                                if (parameters.VirtualMachineProfile.OsProfile != null)
-                                {
-                                    if (parameters.VirtualMachineProfile.OsProfile.LinuxConfiguration != null)
-                                    {
-                                        extensionDirect.Name = extensionNameGA;
-                                        extensionDirect.Publisher = "Microsoft.Azure.Security.LinuxAttestation";
-                                        extensionDirect.Type1 = extensionNameGA;
-                                        extensionDirect.TypeHandlerVersion = "1.0";
-                                        extensionDirect.EnableAutomaticUpgrade = true;
-                                    }
-                                    else
-                                    {
-                                        extensionDirect.Name = extensionNameGA;
-                                        extensionDirect.Publisher = "Microsoft.Azure.Security.WindowsAttestation";
-                                        extensionDirect.Type1 = extensionNameGA;
-                                        extensionDirect.TypeHandlerVersion = "1.0";
-                                        extensionDirect.EnableAutomaticUpgrade = true;
-                                    }
-                                }
-                                VirtualMachineScaleSetUpdate parametersupdate = new VirtualMachineScaleSetUpdate();
-                                parametersupdate.VirtualMachineProfile = new VirtualMachineScaleSetUpdateVMProfile();
-                                parametersupdate.VirtualMachineProfile.ExtensionProfile = new VirtualMachineScaleSetExtensionProfile();
-                                parametersupdate.VirtualMachineProfile.ExtensionProfile.Extensions = new List<VirtualMachineScaleSetExtension>();
-                                parametersupdate.VirtualMachineProfile.ExtensionProfile.Extensions.Add(extensionDirect);
-                                result = VirtualMachineScaleSetsClient.Update(resourceGroupName, vmScaleSetName, parametersupdate);
-                                var vmssVmExtParams = new VirtualMachineScaleSetVMExtension();
-                                var resultVmssVm = VirtualMachineScaleSetVMsClient.List(resourceGroupName, vmScaleSetName);
-                                var resultList = resultVmssVm.ToList();
-                                var nextPageLink = resultVmssVm.NextPageLink;
-                                while (!string.IsNullOrEmpty(nextPageLink))
-                                {
-                                    var pageResult = VirtualMachineScaleSetVMsClient.ListNext(nextPageLink);
-                                    foreach (var pageItem in pageResult)
-                                    {
-                                        resultList.Add(pageItem);
-                                    }
-                                    nextPageLink = pageResult.NextPageLink;
-                                }
-                                foreach (var currentVmssVm in resultList)
-                                {
-                                    if (currentVmssVm.StorageProfile != null &&
-                                        currentVmssVm.StorageProfile.OsDisk != null)
-                                    {
-                                        if (currentVmssVm.StorageProfile.OsDisk.OsType == OperatingSystemTypes.Linux)
-                                        {
-                                            vmssVmExtParams = new VirtualMachineScaleSetVMExtension
-                                            {
-                                                Publisher = "Microsoft.Azure.Security.LinuxAttestation",
-                                                Type1 = extensionNameGA,
-                                                TypeHandlerVersion = "1.0",
-                                                EnableAutomaticUpgrade = true
-                                            };
-                                        }
-                                        else
-                                        {
-                                            vmssVmExtParams = new VirtualMachineScaleSetVMExtension
-                                            {
-                                                Publisher = "Microsoft.Azure.Security.WindowsAttestation",
-                                                Type1 = extensionNameGA,
-                                                TypeHandlerVersion = "1.0",
-                                                EnableAutomaticUpgrade = true
-                                            };
-                                        }
-                                        var opt = this.VirtualMachineScaleSetVMExtensionsClient.CreateOrUpdateWithHttpMessagesAsync(resourceGroupName, vmScaleSetName, currentVmssVm.InstanceId, extensionNameGA, vmssVmExtParams);
-                                    }
-                                }
-                            }
-
                             var psObject = new PSVirtualMachineScaleSet();
                             ComputeAutomationAutoMapperProfile.Mapper.Map<VirtualMachineScaleSet, PSVirtualMachineScaleSet>(result, psObject);
                             WriteObject(psObject);
@@ -419,36 +326,6 @@ private void trustedLaunchDefaultingImageValues()
 
         }
 
-        /// <summary>
-        /// Check to see if the Guest Attestation extension should be installed and Identity set to SystemAssigned.
-        /// Requirements for this scenario to be true:
-        /// 1) DisableIntegrityMonitoring is not true.
-        /// 2) SecurityType is TrustedLaunch.
-        /// 3) SecureBootEnabled is true.
-        /// 4) VTpmEnabled is true.
-        /// </summary>
-        /// <param name="vmssParameters"></param>
-        /// <returns></returns>
-        private bool shouldGuestAttestationExtBeInstalled(VirtualMachineScaleSet vmssParameters)
-        {
-            if (this.DisableIntegrityMonitoring != true &&
-                    vmssParameters != null &&
-                    vmssParameters.OrchestrationMode != "Flexible" &&
-                    vmssParameters.VirtualMachineProfile != null &&
-                    vmssParameters.VirtualMachineProfile.SecurityProfile != null &&
-                    vmssParameters.VirtualMachineProfile.SecurityProfile.SecurityType?.ToLower() == ConstantValues.TrustedLaunchSecurityType &&
-                    vmssParameters.VirtualMachineProfile.SecurityProfile.UefiSettings != null &&
-                    vmssParameters.VirtualMachineProfile.SecurityProfile.UefiSettings.SecureBootEnabled == true &&
-                    vmssParameters.VirtualMachineProfile.SecurityProfile.UefiSettings.VTpmEnabled == true)
-            {
-                return true;
-            }
-            else
-            {
-                return false;
-            }
-        }
-
         /// This somewhat contradicts with the above behavior that sets UpgradePolicy to null.
         /// There is some concern with the above behavior being correct or not, and requires additional testing before changing.
         private void checkFlexibleOrchestrationModeParamsDefaultParamSet(VirtualMachineScaleSet parameters)
@@ -520,11 +397,5 @@ private int convertAPIVersionToInt(string networkAPIVersion)
             HelpMessage = "UserData for the Vmss, which will be Base64 encoded. Customer should not pass any secrets in here.",
             ValueFromPipelineByPropertyName = true)]
         public string UserData { get; set; }
-
-        [Parameter(
-           Mandatory = false,
-           ValueFromPipelineByPropertyName = true,
-           HelpMessage = "This flag disables the default behavior to install the Guest Attestation extension to the virtual machine if: 1) SecurityType is TrustedLaunch, 2) SecureBootEnabled on the SecurityProfile is true, 3) VTpmEnabled on the SecurityProfile is true.")]
-        public SwitchParameter DisableIntegrityMonitoring { get; set; }
     }
 }